For all who have implemented the chroot, beware of a user hard linking a setuid program into the chroot.

The user can then create their own fake supporting files (e.g. /etc/passwd), and the setuid program would use these files thinking they are the real ones. Then, if the user can use this setuid system program to gain root privileges, they can create a new setuid root program that does not require a chroot jail to gain root privileges.

There are other pitfalls to using chroot.
grsecurity.org provides more information.

I've, unfortunately, emerged world this morning, which has trashed my server. Keep getting Authentication failure problems. I've recopied any dependencies in case something has changed, but I have a bad feeling it's some change in Baselayout that might have messed up rssh or something... as you can tell I'm sketchy on the details here... only brought to my attention 40 mins ago.

Anyone actually try a security test of this? I was thinking about opening up my home server to some friends who are pretty geeky... they are pretty knowledgeable with this kinda stuff and a couple of them are capable of rooting a poorly configured box, and though they won't do any damage (I know where they live) to my box, I know they will try to, so I figure might as well make it hard for them!

I think I've found the solution for the "SCP does not work with RSSH" problem!

The file CHROOT that comes with RSSH states:

You may need to copy additional libraries, if your system depends upon them for authentication. For example, in my testing, I needed to copy /lib/libnss_files.so.? into the chroot jail. Without it, the scp command failed, complaining that my user ID was an unknown user. If you use LDAP authentication on the server, you will probably need to also copy libnss_ldap.so.? into your chroot jail.

So I tried it with all /lib/libnss_* files and finally found out that on my Gentoo system (and probably yours) you have to copy /lib/libnss_compat.so.2 into your chroot jail to make SCP work with RSSH!

Edit: I forgot to say that I had to copy my /etc/passwd file into the chroot, too. I don't know, but this makes SCP a bit less attractive for me than SFTP...

Anyone having the unknown user problem with scp or Exit code 255 with sftp:

What Steffen gave above helped.
I needed /lib/libnss_compat.so.2 copied to lib/ inside the chroot.
Works like a charm then.

I solved the problem of having the connection mysteriously close without any further indication in the log files. The first problem is that you need to configure things so rssh_chroot_helper can syslog in the jail. With syslog-ng this is easy by adding another source log pointing to /chroot/jail/dev/log.

Then I got rssh_chroot_helper to log enough information to discover that I needed an /etc/passwd (and helpfully tho' apparently not required) /etc/group in the chroot. After adding these, everything worked beautifully.

Also, does anyone know where to get more info/docs on the chroot use flag and how to make use of it? There is no point in having this patch added to portage if there is no doc on what it gives you and how to use it.

I think all of this can be done a lot easier (but correct me if I'm wrong)... If you enable USE=static for openssh and rssh you shouldn't need any libraries at all in the chroot. I think the path for scp and sftp-server can be set in the sshd_config, see the example:

This is in sshd_config by default. So combining these thoughts I think you can make a dir bin in a user's home directory, put all the binaries you need in bin, chroot them in the home directory and you're done... If you're doing this it is also possible to have a /home/chrootbin to which the bin dirs are hardlinked, so you only need to update /home/chrootbin every time you update any of the binaries that you copied to the chroot...
Seems a lot easier to me, but perhaps I'm overlooking something.
Regards,

Michael

thanks for the suggestions, using the static use flag was exactly what I did.

although I'm not sure about the symlinking thing, this may allow chroot breaking.... iirc you should not have any links leading outside of your chroot.

I have instead got a basic skel which i can copy over and will simply bashify updates on this.

EDIT: I tried rssh first, but scponly seems the better option. Someone told me rssh was lame so I checked out scponly and it seems to work well and easier. It uses a // in the home dir path to separate the jail and the home dir inside the jail.

thanks for the suggestions, using the static use flag was exactly what I did.

What did you do with it, scponly doesn't have a static use flag, could you explain the contents and configuration of your chroot a bit more? Doesn't have to be a step by step howto, but an outline will be appreciated...

humbletech99 wrote:

although I'm not sure about the symlinking thing, this may allow chroot breaking.... iirc you should not have any links leading outside of your chroot.

I only partially agree. I wasn't talking about symlinking to the system binaries, but to a copied version in /home. I can't even symlink to system binaries, because they're on a different volume. I'm running a hardened server, I don't think they'll be able to break a lot, and I'm willing to take the risk.

Also, I currently have noexec in /home, my clients are only members of a separate group and I set umask to 077, so they shouldn't be able to create anything that someone else except root can read, so I doubt if I'm gonna chroot at all... Of course there's write access in /tmp, but /tmp is noexec too. If I were to chroot then I'd also have to add php and apache to the chroot, or else it would be quite useless (php and apache get forked to the user whose content is to be displayed)...

Anyway, I'm still interested in the ways a chroot can be set up, maybe in the future I will have a use for it...
Regards,

Michael

If symlinking jailed bins/libs to /home then noexec may stop the whole thing from working.

Where did apache and php come from? You are trying to use sftp to manage a web server?

I created a jail the standard way by recreating a minimal dir structure and then scp makes the chroot call and locks into the jail. This is done by scponly just by setting it to be your shell and then making the home directory of the user /path/to/jail//home/username.

Then you just have to test it to death to make libs work (statically compiling where you can helps).
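As an added example (not code from this thread, nor from rssh or scponly), the jail-building steps discussed above in script form: the minimal skeleton, a reduced /etc/passwd and /etc/group holding only the jailed user rather than a wholesale copy of the host files, and an audit for the setuid hard-link hazard raised in the first post. The function names and the optional passwd/group path parameters are assumptions made for this example; it needs only a POSIX shell, awk and find.

```shell
#!/bin/sh
# Added example, not code from this thread or from rssh/scponly: a minimal
# jail builder in the spirit of the posts above. Function names and the
# optional passwd/group path parameters are assumptions for this example.

# Create the directory skeleton the jailed scp/sftp-server need. The caller
# still copies the (preferably static) binaries into bin/ and, on glibc,
# libnss_compat.so.2 into lib/ as described in the thread.
make_jail_skel() {
    mkdir -p "$1/bin" "$1/lib" "$1/etc" "$1/dev" "$1/home"
}

# Write only the jailed user's passwd line and that user's primary group line
# into the jail; the password field is forced to "x" so that no hash can ever
# land in a world-readable file inside the jail. Parameters 3 and 4 default
# to the host databases and exist so the function can run on constructed files.
jail_user_db() {
    jail=$1; user=$2; pw=${3:-/etc/passwd}; gr=${4:-/etc/group}
    entry=$(awk -F: -v OFS=: -v u="$user" '$1 == u { $2 = "x"; print }' "$pw")
    [ -n "$entry" ] || return 1          # unknown user: write nothing
    gid=$(printf '%s\n' "$entry" | cut -d: -f4)
    printf '%s\n' "$entry" > "$jail/etc/passwd"
    awk -F: -v g="$gid" '$3 == g' "$gr" > "$jail/etc/group"
    chmod 644 "$jail/etc/passwd" "$jail/etc/group"
}

# List every setuid/setgid regular file inside the jail. Any hit is suspect:
# nothing in a scp/sftp jail should need elevated privileges, and a setuid
# system binary hard-linked in by a user shows up here, because a hard link
# shares the inode and therefore the setuid bit. -xdev keeps the walk on the
# jail's own filesystem.
audit_jail_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print
}
```

Run the audit after every update of the jail, not only when building it, since the hard-link hazard arises from what users do later.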